Sunday, December 18, 2016

How to reset Solaris 11 root password in a minute using kmdb

Following a bit outdated, ufs-based method from "Using kmdb to reset lost Solaris root password" article, we still use uiomove break point. Apply kmdb and single-mode options to the grub kernel line and boot the machine. Wait for the SINGLE USER MODE message,  type "root" for the user name. Now wait a minute until smf services run and then switch to kmdb prompt (F1-a) right after "Enter root password (control-d to bypass):" message.

































Set break point at uiomove+0xc and type :c to continue. You will need to step forward by pressing :u and :c two or three times and look for the state where zfs`dmu_read_uio_dnode calls zfs`dmu_read_uio_dbuf and finally uiomove:































On the screenshot below we found "/etc/shadow" data in ffff810042207c00. Now all what we need is to change the first character of the root password to ":" and, after removing break point and continue, we get the root shell prompt:



















Now you can reset the password and reboot.